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Amendments to the Claims 

1. (previously presented) A system for detecting and restricting denial of service 
attacks, comprising: 

a computer having application software in communication with a network 
protocol, the computer comprising a network interface and a zombie detection driver 
coupled between, and in communication with, the network protocol and the network 
interface, the zombie detection driver comprising: 

a transmit module to receive outgoing packets from a software application 

and to discard the outgoing packets that are determined to be from a zombie 

application prior to being transmitted over a network; 

a receive module to receive incoming packets from a network interface 

and to discard the incoming packets that are determined to be from a zombie 

application; and 

a monitor module in communications with the transmit module and the 
receive module to track transmit packet patterns from and receive packet patterns 
to the software application and to determine whether the software application is 
the zombie application based upon the transmit and receive packet patterns. 

2. (previously presented) The system recited in claim 1, wherein the monitor 
module determines that the software application is the zombie application by identifying 
that the software application is transmitting a large number of packets without receiving 
any packets and placing the software application on a zombie list or a watch list. 
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3. (previously presented) The system recited in claim 2, wherein the monitor 
module alerts the user and the transmit module and the receive module that the software 
application is the zombie application when the software application has previously been 
placed on the zombie list or the watch list and the software application is still transmitting 
a large number of packets without receiving any packets. 

4. (previously presented) The system recited in claim 1, wherein the monitor 
module determines that the software application is a possible zombie application by 
identifying that the software application is not receiving any packets and placing the 
software application on a watch list. 

5. (previously presented) The system recited in claim 4, wherein the monitor 
module alerts the user and the transmit module and the receive module that the software 
application is the zombie application when the software application has previously been 
placed on the watch list and the software application is now transmitting a large number 
of packets. 

6. (previously presented) The system recited in claim 1, wherein the monitor 
module determines that the software application is a possible zombie application by 
identifying that the software application is rarely receiving any packets and placing the 
software application on a watch list. 
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7. (previously presented) The system recited in claim 6, wherein the monitor 
module alerts the user and the transmit module and the receive module that the software 
application is the zombie application when the software application has previously been 
placed on the watch list and the software application is now transmitting a large number 
of packets. 

8. (previously presented) The system recited in claim 1, wherein the monitor 
module determines that the software application is a possible zombie application by 
identifying that the software application, after having received some packets, has stopped 
sending packets or receiving more packets and placing the software application on a 
watch list. 

9. (previously presented) The system recited in claim 8, wherein the monitor 
module alerts the user and the transmit module and the receive module that the software 
application is the zombie application when the software application has previously been 
placed on the watch list and the software application is now transmitting a large number 
of packets. 

10. (previously presented) A system for detecting and restricting denial of service 
attacks, comprising: 

a transmit module to receive packets from a software application and discard 
packets that are determined to be from a zombie application; 
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a receive module to receive packets from a network interface and discard packets 
that are determined to be from a zombie application; and 

a monitor module in communications with the transmit module and the receive 
module to track packet transmission and reception patterns to and from the software 
application and to determine whether the software application is a zombie application 
based on the packet transmission and reception patterns, wherein the monitor module to 
identify the software application as a zombie application when the software application is 
transmitting a large number of packets without receiving any packets and to place the 
software application on a zombie list or a watch list, wherein the monitor module will 
retain the software application on the watch list when a zombie rating for the software 
application exceeds a predetermined value, the zombie rating being based on whether the 
software application is an application or a process and whether the software application is 
user initiated or initiated at system startup. 

1 1. (previously presented) A system for detecting and restricting denial of service 
attacks, comprising: 

a transmit module to receive packets from a software application and discard 
packets that are determined to be from a zombie application; 

a receive module to receive packets from a network interface and discard packets 
that are determined to be from a zombie application; and 

a monitor code in communications with the transmit module and the receive 
module to track packet transmission and reception patterns to and from the software 
application and determine whether the software application is a zombie application based 
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upon the packet transmission and reception pattern, the monitor module to identify the 
software application as the zombie application when the software application is not 
receiving any packets and to place the software application on a watch list, wherein the 
monitor module will retain the software application on the watch list when a zombie 
rating for the software application exceeds a predetermined value, the zombie rating 
being based on whether the software application is an application or a process and 
whether the software application is user initiated or initiated at system startup. 

12. (previously presented) A system for detecting and restricting denial of service 
attacks, comprising: 

a transmit module to receive packets from a software application and discard 
packets that are determined to be from a zombie application; 

a receive module to receive packets from a network interface and discard packets 
that are determined to be from a zombie application; and 

a monitor module in communications with the transmit module and the receive 
module to track packet transmission and reception patterns to and from the software 
application and to determine whether the software application is a zombie application 
based on the packet transmission and reception patterns, the monitor module to identify 
the software application as a possible zombie application when the software application is 
rarely receiving any packets and to place the software application on a watch list, wherein 
the monitor module will retain the software application on the watch list when a zombie 
rating for the software application exceeds a predetermined value, the zombie rating 
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being based on whether the software application is an application or a process and 
whether the software application is user initiated or initiated at system startup. 

13. (previously presented) A system for detecting and restricting denial of service 
attacks, comprising: 

a transmit module to receive packets from a software application and discard 
packets that are determined to be from a zombie application; 

a receive module to receive packets from a network interface and discard packets 
that are determined to be from a zombie application; and 

a monitor module in communications with the transmit module and the receive 
module to track packet transmission and reception patterns to and from the software 
application and to determine whether the software application is a zombie application 
based on the packet transmission and reception patterns, the monitor module to identify 
the software application as a possible zombie application when the software application, 
after having received some packets, has stopped sending packets or receiving more 
packets and to place the software application on a watch list, wherein the monitor module 
will retain the software application on the watch list when a zombie rating for the 
software application exceeds a predetermined value, the zombie rating being based on 
whether the software application is an application or a process and whether the software 
application is user initiated or initiated at system startup. 

14. (currently amended) A method of detecting and restricting denial of service 
attacks, comprising: 
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monitoring incoming and outgoing packets to and from a software application; 

placing the software application on a zombie list or a watch list when a pattern of 
the incoming or outgoing packets to or from the software application matches that of the 
characteristics of a zombie application; 

determining whether the software application is a known good application, 
wherein if the software application is not a known good application, then applying a 
zombie rating to the software application , wherein the zombie rating is based on the 
factors of whether the software application is an application or a process and whether the 
software application is user initiated or initiated at system startup, and if the software 
application is a known good application, then removing the software application from the 
watch list and/or zombie list; and 

blocking reception and transmission of packets to and from the software 
application when the software application has been placed on the watch list or the zombie 
list in a previous cycle and the software application further exhibits the characteristics of 
a zombie application. 

15. (original) The method recited in claim 14, wherein the characteristics of a 
zombie application are transmitting a large number of packets while receiving no 
incoming packets. 

16. (original) The method recited in claim 14, wherein the characteristics of a 
zombie application are receiving no incoming packets and having a zombie rating 
exceeding a predetermined value. 
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17. (cancelled) 

18. (original) The method recited in claim 14, wherein the characteristics of a 
zombie application are rarely receiving incoming packets and having a zombie rating 
exceeding a predetermined value. 

19. (cancelled) 

20. (original) The method recited in claim 14, wherein the characteristics of a 
zombie application are receiving incoming packets at first and then not receiving or 
sending any packets and having a zombie rating exceeding a predetermined value. 

21. (cancelled) 

22. (currently amended) A computer program, comprising: 

monitoring incoming and outgoing packets to and from a software application; 

placing the software application on a zombie list or a watch list when a pattern of 
the incoming or outgoing packets to or from the software application matches that of the 
characteristics of a zombie application; 

determining whether the software application is a known good application, 
wherein if the software application is not a known good application, then applying a 
zombie rating to the software applicatio n, wherein the zombie rating is based on the 
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factors of whether the software application is an application or a process and whether the 
software application is user initiated or initiated at system startup , and if the software 
application is a known good application, then removing the software application from the 
watch list and/or zombie list and 

blocking reception and transmission of packets to and from the software 
application when the software application has been placed on the watch list or the zombie 
list in a previous cycle and the software application further exhibits the characteristics of 
a zombie application. 

23. (original) The computer program recited in claim 22, wherein the 
characteristics of a zombie application are transmitting a large number of packets while 
receiving no incoming packets. 

24. (currently amended) The computer program recited in claim 22 23-, wherein 
the characteristics of a zombie application are receiving no incoming packets and having 
a zombie rating exceeding a predetermined value. 

25. (cancelled) 

26. (currently amended) The computer program recited in claim 22 25, wherein 
the characteristics of a zombie application are rarely receiving incoming packets and 
having a zombie rating exceeding a predetermined value. 
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27. (cancelled) 

28. (original) The computer program recited in claim 22, wherein the 
characteristics of a zombie application are receiving incoming packets at first and then 
not receiving or sending any packets and having a zombie rating exceeding a 
predetermined value. 

29. (cancelled) 

30. (previously presented) The system of claim 1, wherein the incoming packets 
determined to be from the zombie application include request packets comprising target 
device information and a start sequence to enable the zombie application to begin 
executing, wherein the receive module discards the request packets before the request 
packets are allowed to enter a network protocol module. 

31. (previously presented) The system of claim 1, wherein the receive module 
blocks the zombie applications from registering for network access via a network 
protocol module. 

32. (cancelled) 



33. (cancelled) 



34. (cancelled) 



35. (cancelled) 



36. (cancelled) 



37. (cancelled) 



38. (cancelled) 



39. (cancelled) 



40. (cancelled) 



41. (cancelled) 



42. (cancelled) 



43. (cancelled) 



44. (cancelled) 



45. (cancelled) 
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46. (previously presented) The system of claim 10, wherein the monitor module to 
alert the user, the transmit module, and the receive module that the software application is 
the zombie application when the software application has previously been placed on the 
zombie list or the watch list and the software application is still transmitting a large 
number of packets without receiving any packets. 

47. (previously presented) The system of claim 1 1, wherein the monitor module to 
alert the user, the transmit module, and the receive module that the software application is 
the zombie application when the software application has previously been placed on the 
watch list and the software application is now transmitting a large number of packets. 

48. (previously presented) The system of claim 12, wherein the monitor module to 
alert the user, the transmit module, and the receive module that the software application is 
the zombie application when the software application has previously been placed on the 
watch list and the software application is now transmitting a large number of packets. 

49. (previously presented) The system of claim 13, wherein the monitor module to 
alert the user, the transmit module, and the receive module that the software application is 
the zombie application when the software application has previously been placed on the 
watch list and the software application is now transmitting a large number of packets. 

50. (previously presented) A method of detecting and restricting denial of service 
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attacks, comprising: 

monitoring incoming and outgoing packets to and from a software application; 

placing the software application on a zombie list or a watch list when a pattern of 
the incoming or outgoing packets from the software application matches characteristics 
of a zombie application; 

providing a zombie rating to the software application, wherein the zombie rating 
is based on whether the software application is an application or a process and whether 
the application is user initiated or initiated at system startup; and 

blocking reception and transmission of packets to the software application when 
the software application has been placed on the watch list or the zombie list in a previous 
cycle and the software application further exhibits the characteristics of a zombie 
application. 

51. (previously presented) The method of claim 50, wherein the software 
application is maintained on the watch list and/or the zombie list when the zombie rating 
exceeds a predetermined value. 



